| -rw-r--r-- | krebs/3modules/bepasty-server.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/buildbot/master.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/nginx.nix | 190 | ||||
| -rw-r--r-- | krebs/3modules/retiolum-bootstrap.nix | 56 | ||||
| -rw-r--r-- | lass/1systems/iso.nix | 24 | ||||
| -rw-r--r-- | lass/2configs/baseX.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/buildbot-standalone.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/default.nix | 5 | ||||
| -rw-r--r-- | lass/2configs/fetchWallpaper.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/nixpkgs.nix | 2 | ||||
| -rw-r--r-- | shared/1systems/test-all-krebs-modules.nix | 1 | 
12 files changed, 51 insertions, 237 deletions
|
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 4e035e725..0ca13366b 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -37,7 +37,7 @@ let
           # TODO use the correct type
           type = with types; attrsOf unspecified;
           description = ''
-            additional nginx configuration. see krebs.nginx for all options
+            Additional nginx configuration.
           '';
         };
         secretKey = mkOption {
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index b31661572..d75e6c880 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -78,7 +78,6 @@ let
       #    stopAllBuilds = 'auth',
       #    cancelPendingBuild = 'auth'
       #)
-      # TODO: configure krebs.nginx
       c['www'] = dict(
         port = ${toString cfg.web.port},
         plugins = { 'waterfall_view':{}, 'console_view':{} }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 37db5bfe7..d539d4166 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -26,7 +26,6 @@ let
       ./kapacitor.nix
       ./monit.nix
       ./newsbot-js.nix
-      ./nginx.nix
       ./nixpkgs.nix
       ./on-failure.nix
       ./os-release.nix
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
deleted file mode 100644
index b28e97e37..000000000
--- a/krebs/3modules/nginx.nix
+++ /dev/null
@@ -1,190 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  cfg = config.krebs.nginx;
-
-  out = {
-    options.krebs.nginx = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "krebs.nginx";
-
-    default404 = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        By default all requests not directed to an explicit hostname are
-        replied with a 404 error to avoid accidental exposition of nginx
-        services.
-
-        Set this value to `false` to disable this behavior - you will then be
-        able to configure a new `default_server` in the listen address entries
-        again.
-      '';
-    };
-
-    servers = mkOption {
-      type = types.attrsOf (types.submodule {
-        options = {
-          server-names = mkOption {
-            type = with types; listOf str;
-            default =
-              [config.krebs.build.host.name] ++
-              concatMap (getAttr "aliases")
-                        (attrValues config.krebs.build.host.nets);
-          };
-          listen = mkOption {
-            type = with types; either str (listOf str);
-            default = "80";
-            apply = x:
-              if typeOf x != "list"
-                then [x]
-                else x;
-          };
-          locations = mkOption {
-            type = with types; listOf (attrsOf str);
-            default = [];
-          };
-          extraConfig = mkOption {
-            type = with types; string;
-            default = "";
-          };
-          ssl = mkOption {
-            type = with types; submodule ({ config, ... }: {
-              options = {
-                enable = mkEnableOption "ssl";
-                acmeEnable = mkOption {
-                  type = bool;
-                  apply = x:
-                    if x && config.enable
-                      #conflicts because of certificate/certificate_key location
-                      then throw "can't use ssl.enable and ssl.acmeEnable together"
-                      else x;
-                  default = false;
-                  description = ''
-                    enables automatical generation of lets-encrypt certificates and setting them as certificate
-                    conflicts with ssl.enable
-                  '';
-                };
-                certificate = mkOption {
-                  type = str;
-                };
-                certificate_key = mkOption {
-                  type = str;
-                };
-                #TODO: check for valid cipher
-                ciphers = mkOption {
-                  type = str;
-                  default = "AES128+EECDH:AES128+EDH";
-                };
-                prefer_server_ciphers = mkOption {
-                  type = bool;
-                  default = true;
-                };
-                force_encryption = mkOption {
-                  type = bool;
-                  default = false;
-                  description = ''
-                    redirect all `http` traffic to the same domain but with ssl
-                    protocol.
-                  '';
-                };
-                protocols = mkOption {
-                  type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
-                  default = [ "TLSv1.1" "TLSv1.2" ];
-
-                };
-              };
-            });
-            default = {};
-          };
-        };
-      });
-      default = {};
-    };
-  };
-
-  imp = {
-    security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
-    services.nginx = {
-      enable = true;
-      httpConfig = ''
-        default_type      application/octet-stream;
-        sendfile          on;
-        keepalive_timeout 65;
-        gzip              on;
-
-        ${optionalString cfg.default404 ''
-          server {
-            listen 80 default_server;
-            server_name _;
-            return 404;
-          }''}
-
-        ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
-      '';
-    };
-  };
-
-  to-acme = { server-names, ssl, ... }:
-    optionalAttrs ssl.acmeEnable {
-      email = "lassulus@gmail.com";
-      webroot = "${config.security.acme.directory}/${head server-names}";
-    };
-
-  to-location = { name, value }: ''
-    location ${name} {
-      ${indent value}
-    }
-  '';
-
-  to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
-    domain = head server-names;
-    acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
-      root ${config.security.acme.certs.${domain}.webroot};
-    '');
-  in ''
-    server {
-      server_name ${toString (unique server-names)};
-      ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
-      ${optionalString ssl.enable (indent ''
-        ${optionalString ssl.force_encryption ''
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }
-        ''}
-        listen 443 ssl;
-        ssl_certificate ${ssl.certificate};
-        ssl_certificate_key ${ssl.certificate_key};
-        ${optionalString ssl.prefer_server_ciphers ''
-          ssl_prefer_server_ciphers On;
-        ''}
-        ssl_ciphers ${ssl.ciphers};
-        ssl_protocols ${toString ssl.protocols};
-      '')}
-      ${optionalString ssl.acmeEnable (indent ''
-        ${optionalString ssl.force_encryption ''
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }
-        ''}
-        listen 443 ssl;
-        ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
-        ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
-        ${optionalString ssl.prefer_server_ciphers ''
-          ssl_prefer_server_ciphers On;
-        ''}
-        ssl_ciphers ${ssl.ciphers};
-        ssl_protocols ${toString ssl.protocols};
-      '')}
-      ${indent extraConfig}
-      ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
-      ${indent (concatMapStrings to-location locations)}
-    }
-  '';
-
-in
-out
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 4bcd596d4..53b06a702 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -1,53 +1,38 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
 with import <stockholm/lib>;
 let
   cfg = config.krebs.retiolum-bootstrap;
-
-  out = {
-    options.krebs.retiolum-bootstrap = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
-    hostname = mkOption {
+in
+{
+  options.krebs.retiolum-bootstrap = {
+    enable = mkEnableOption "retiolum boot strap for ${cfg.serverName}";
+    serverName = mkOption {
         type = types.str;
         description = "hostname which serves tinc boot";
         default = "tinc.krebsco.de" ;
     };
-    listen = mkOption {
-        type = with types; listOf str;
-        description = ''Addresses to listen on (nginx-syntax).
-        ssl will be configured, http will be redirected to ssl.
-        Make sure to have at least 1 ssl port configured.
-        '';
-        default = [ "80" "443 ssl" ] ;
+    sslCertificate = mkOption {
+        type = types.str;
+        description = "Certificate file to use for ssl";
+        default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
     };
-    ssl_certificate_key = mkOption {
+    sslCertificateKey = mkOption {
         type = types.str;
         description = "Certificate key to use for ssl";
         default = "${toString <secrets>}/tinc.krebsco.de.key";
     };
-    ssl_certificate = mkOption {
-        type = types.str;
-        description = "Certificate file to use for ssl";
-        default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
-    };
     # in use:
     #  <secrets/tinc.krebsco.de.crt>
     #  <secrets/tinc.krebsco.de.key>
   };
-  imp = {
-    krebs.nginx.servers = assert config.krebs.nginx.enable; {
-      retiolum-boot-ssl = {
-        server-names = singleton cfg.hostname;
-        listen = cfg.listen;
-        extraConfig = ''
-          ssl_certificate ${cfg.ssl_certificate};
-          ssl_certificate_key ${cfg.ssl_certificate_key};
-
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = mkDefault true;
+      virtualHosts.retiolum-bootstrap = {
+        inherit (cfg) serverName sslCertificate sslCertificateKey;
+        enableSSL = true;
+        extraConfig =''
           if ($scheme = http){
             return 301 https://$server_name$request_uri;
           }
@@ -55,10 +40,7 @@ let
           root ${pkgs.retiolum-bootstrap};
           try_files $uri $uri/retiolum.sh;
         '';
-        locations = [];
       };
     };
   };
-
-in
-out
+}
diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 01d698c4c..99399550c 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -12,6 +12,30 @@ with import <stockholm/lib>;
     ../2configs/nixpkgs.nix
     ../2configs/vim.nix
     {
+      # /dev/stderr doesn't work. I don't know why
+      # /proc/self doesn't seem to work correctly
+      # /dev/pts is empty except for 1 file
+      # my life sucks
+      nixpkgs.config.packageOverrides = super: {
+        irc-announce = super.callPackage <stockholm/krebs/5pkgs/irc-announce> {
+          pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
+            pkgs.coreutils
+            (pkgs.writeDashBin "tee" ''
+              if test "$1" = /dev/stderr; then
+                while read -r line; do
+                  echo "$line"
+                  echo "$line" >&2
+                done
+              else
+                ${super.coreutils}/bin/tee "$@"
+              fi
+            '')
+          ];};
+        };
+      };
+      boot.kernelParams = [ "copytoram" ];
+    }
+    {
       krebs.enable = true;
       krebs.build.user = config.krebs.users.lass;
       krebs.build.host = config.krebs.hosts.iso;
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 3032e244f..9c51effdc 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
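Review bot: The new `virtualHosts.retiolum-bootstrap` entry carries only the certificate paths and the redirect, so the TLS policy the removed krebs.nginx module emitted per server (`ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers`) is no longer set anywhere visible on this page and now depends on whatever the pinned nixpkgs nginx module and nginx itself default to. Adding `recommendedTlsSettings = true;` beside `enable = mkDefault true;` in `services.nginx` restores an explicit protocol and cipher policy, and if the pinned module already provides `virtualHosts.<name>.forceSSL`, then `forceSSL = true;` can replace both `enableSSL = true;` and the hand-written `if ($scheme = http)` block in `extraConfig`, which nginx's own guidance discourages in favor of a dedicated redirect server. The `mkEnableOption` description now interpolates `${cfg.serverName}`, i.e. reads config from inside an option declaration; a static `"retiolum boot strap"` keeps the declaration independent of evaluation order. The `config` attribute set this hunk opens is closed in the second hunk of the same file.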
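Review bot: The `tee` replacement in the `writeDashBin` body is not byte-faithful: `read -r line` without `IFS=` strips leading and trailing whitespace, a final line that lacks a trailing newline is dropped by `read`, and dash's built-in `echo` interprets a leading `-n` and backslash escapes, so lines are altered before they reach whichever consumer asked for `/dev/stderr` (presumably irc-announce, given the override). Changing the loop to `while IFS= read -r line; do` and replacing the two `echo "$line"` calls with `printf '%s\n' "$line"` and `printf '%s\n' "$line" >&2` preserves the input. The four comments above the override describe the symptoms but not the reason for the shim; a one-line `# tee to /dev/stderr fails on the ISO, so duplicate to fd 2 by hand` next to `if test "$1" = /dev/stderr; then` would tell the next reader why this exists.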
@@ -32,8 +32,6 @@ in {
   time.timeZone = "Europe/Berlin";
-  virtualisation.libvirtd.enable = true;
-
   programs.ssh.startAgent = false;
   services.printing = {
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 3006e9dfb..7b38e44c6 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -20,7 +20,7 @@ in {
   };
   config.krebs.buildbot.master = let
-    stockholm-mirror-url = http://cgit.lassul.us/stockholm ;
+    stockholm-mirror-url = http://cgit.prism.r/stockholm ;
   in {
     workers = {
       testworker = "lasspass";
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index b53efa75d..e964704c3 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -64,7 +64,10 @@ with import <stockholm/lib>;
       ];
     }
     {
-      services.dnscrypt-proxy.enable = true;
+      services.dnscrypt-proxy = {
+        enable = true;
+        resolverName = "cs-de";
+      };
       networking.extraResolvconfConf = ''
         name_servers='127.0.0.1'
       '';
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index 971be9588..31a01c754 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -6,7 +6,7 @@ in {
   krebs.fetchWallpaper = {
     enable = true;
     unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
-    url = "prism/wallpaper.png";
+    url = "prism/realwallpaper-sat-krebs.png";
     maxTime = 10;
   };
 }
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 5309c9551..5f9800b0f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://cgit.lassul.us/nixpkgs;
-    ref = "5acb454";
+    ref = "c85f39e";
   };
 }
diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix
index b42968cfb..39d7c494b 100644
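Review bot: `stockholm-mirror-url` still names a cleartext `http://` origin after the move to `cgit.prism.r`, so the integrity of the tree buildbot checks out rests entirely on the network path to that host; if `prism.r` is reachable only over the retiolum overlay that may be an accepted trade-off, but nothing on this page shows it, and an `https://` mirror or a revision pin on the master side would make the assumption explicit rather than implicit. The value is also written as an unquoted URL literal, which newer Nix discourages; `stockholm-mirror-url = "http://cgit.prism.r/stockholm";` keeps the same meaning. The `let` block that defines it continues past the hunk.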
--- a/shared/1systems/test-all-krebs-modules.nix
+++ b/shared/1systems/test-all-krebs-modules.nix
@@ -36,7 +36,6 @@ in {
       enable = true;
       tables = {};
     };
-    nginx.enable = true;
     realwallpaper.enable = true;
     tinc.retiolum.enable = true;
     retiolum-bootstrap.enable = true;
|
